+1, I support editing the pages to focus on a simple config that just changes X-Forwarded headers.
I created the HAProxy wiki page while testing the HTTP duplex CLI mode with various reverse proxies, so I am fully to blame :) I had no prior knowledge about HAProxy and pieced together a working config based on some googling, so please edit the page if there is something much simpler that will work! I think a lot of the complexity in these pages comes from things that many users don’t need (for example, serving static files directly, using a different context path, special buffering and/or timeout options to get the HTTP duplex CLI working, or a fix for a random issue specific to one user’s environment). I am hesitant to delete these settings from the wiki outright, but we should at least move them into a clearly labeled subsection that explains why they should and shouldn’t be used (for example, turning off request buffering might get the HTTP duplex CLI mode working, but it might also tank performance). > On Feb 7, 2018, at 08:39, 'Marco Brondani' via Jenkins Developers > <jenkinsci-dev@googlegroups.com> wrote: > > +1 to this. > I’m using a very similar configuration in my own setup. > And I see that the X-Forwarded* headers on Apache without rewrite rules get > the Job done as well. > > Cheers > > > From: Stephen Connolly <mailto:stephen.alan.conno...@gmail.com> > Sent: Wednesday, February 7, 2018 2:10 PM > To: jenkinsci-dev@googlegroups.com <mailto:jenkinsci-dev@googlegroups.com> > Subject: Eh why are we suggesting such a complex reverse proxy configuration? > > https://twitter.com/connolly_s/status/961223121981399040 > <https://twitter.com/connolly_s/status/961223121981399040> > > for example, here is a working haproxy configuration without any crazy > rewrite rules: > > frontend jenkins > mode http > bind *:80 > use_backend jenkins > > frontend jenkins-tls > mode https > bind *:443 crt /path/to/server.pem > use_backend jenkins > > backend jenkins > mode http > option forwardfor > http-request set-header X-Forwarded-Host %[req.hdr(Host)] > http-request del-header X-Forwarded-Port > http-request set-header X-Forwarded-Proto https if { ssl_fc } > server jenkins jenkins.internal.example.com:8080 > <http://jenkins.internal.example.com:8080/> check > > and that works perfectly fine, no reverse proxy warnings, all urls generated > correctly irrespective of the url you access the reverse proxy with. > > I would love to know why we are pushing much more complex and brittle (and > probably subtly broken... cough > https://issues.jenkins-ci.org/browse/JENKINS-44006 > <https://issues.jenkins-ci.org/browse/JENKINS-44006> and similar cough cough > > Don't get me started on how complex all the other configurations are for > apache, iis, squid, nginx, etc > > I suspect all could be simplified to just set X-Forwarded-Host to the Host > header (and remove any X-Forwarded-Port that evil hacker injected in their > request to the reverse proxy) or parse the Host header and set > X-Forwarded-Host to the parsed requested hostname and X-Forwarded-Port to the > parsed requested port... no rewrite rules... and everyone would be happy. > > Thoughts? > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-dev+unsubscr...@googlegroups.com > <mailto:jenkinsci-dev+unsubscr...@googlegroups.com>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-dev/CA%2BnPnMyCVRaSkqOJEVH7BLt_%2B4o2n57wbLyD3wcEUCknDKkH4w%40mail.gmail.com > > <https://groups.google.com/d/msgid/jenkinsci-dev/CA%2BnPnMyCVRaSkqOJEVH7BLt_%2B4o2n57wbLyD3wcEUCknDKkH4w%40mail.gmail.com?utm_medium=email&utm_source=footer>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. > > > -- > You received this message because you are subscribed to the Google Groups > "Jenkins Developers" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to jenkinsci-dev+unsubscr...@googlegroups.com > <mailto:jenkinsci-dev+unsubscr...@googlegroups.com>. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jenkinsci-dev/5a7b01a9.11b8500a.2b51a.8357%40mx.google.com > > <https://groups.google.com/d/msgid/jenkinsci-dev/5a7b01a9.11b8500a.2b51a.8357%40mx.google.com?utm_medium=email&utm_source=footer>. > For more options, visit https://groups.google.com/d/optout > <https://groups.google.com/d/optout>. -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/0951BAF0-7C24-4A5B-B25D-745A9FFD4616%40cloudbees.com. For more options, visit https://groups.google.com/d/optout.